[Fedora-directory-users] Behaviour with not quite blank userPassword

Bryan Wann bryan at datafoundry.com
Wed Jan 23 16:58:16 UTC 2008


I am puzzled as to how FDS handles binds when userPassword: is set to 
"{crypt}" without an actual crypted password following.

If I set up a user, say 'cn=bryan,ou=People,o=foo', set "userPassword: 
{crypt}", then try to bind as that DN, this is what happens:

* Bind with this DN and no password given whatsoever, fails as 
LDAP_INAPPROPRIATE_AUTH(48).  This sort of makes sense.

* Bind with this DN and password "asdf", it succeeds.

conn=539741 fd=64 slot=64 connection from 1.1.1.1 to 1.1.1.1
conn=539741 op=0 BIND dn="cn=bryan,ou=People,o=foo" method=128 version=3
conn=539741 op=0 RESULT err=0 tag=97 nentries=0 etime=0
    dn="cn=bryan,ou=people,o=foo"
conn=539741 op=1 UNBIND
conn=539741 op=1 fd=64 closed - U1

Why would it succeed when the given bind password doesn't technically 
match the blank "crypted" password field?  Is there any way to prevent this?

At the very least, could somebody tell me what sort of bind is happening 
here.  It doesn't look like an anonymous bind as those come in with no 
DN set.  This sounds like an "unauthenticated" bind, but I'm not sure.

Thanks!
--bryan
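
An added example, not part of the original post and not Fedora Directory Server code: a scan of an LDIF export for entries in the state described above, where userPassword holds only a storage-scheme prefix such as "{crypt}" with no hash after it. The sample LDIF, the placeholder hash and the function names are constructed for illustration.

```python
import base64
import re

# A value that is only a scheme prefix ("{crypt}", "{SSHA}", ...) with no hash after it.
SCHEME_ONLY = re.compile(r"^\{[A-Za-z0-9_-]+\}\s*$")

# Constructed sample export; the third entry carries a placeholder, not a real hash.
SAMPLE_LDIF = """\
dn: cn=bryan,ou=People,o=foo
userPassword: {crypt}

dn: cn=alice,ou=People,o=foo
userPassword:: e2NyeXB0fQ==

dn: cn=carol,ou=People,o=foo
userPassword: {crypt}xxPLACEHOLDERxx
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def decode_value(line):
    """Return (attribute, value); 'attr:: ...' values are base64-decoded."""
    attr, sep, rest = line.partition(":")
    if not sep:
        return None, None
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    else:
        value = rest.strip()
    return attr.strip().lower(), value

def find_scheme_only_passwords(ldif_text):
    """Return the DNs whose userPassword is a bare scheme prefix."""
    flagged, dn = [], None
    for line in unfold(ldif_text):
        attr, value = decode_value(line)
        if attr == "dn":
            dn = value
        elif attr == "userpassword" and dn and SCHEME_ONLY.match(value):
            flagged.append(dn)
    return flagged
```

The base64 form matters because exports often write userPassword as "userPassword:: ...", so a plain text search for "{crypt}" at end of line would miss the second entry.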



